Closed MillianoConti closed 5 years ago
Auditing time is 2 days
@MrCrambo assigned
Auditing time: 3 days.
@danbogd assigned
My report is finished
Audit time: 2 days.
@RideSolo assigned
My report is finished.
Humanity smart contract security audit report performed by Callisto Security Audit Department
Commit hash 9e66de601937cc1aae40ee95e52f2f44343fae24.
In total, 6 issues were reported, including:
1 medium severity issue.
4 low severity issues.
1 note.
No critical security issues were found.
The fallback function defined in PayableHumanityApplicant for the contract to receive ether is not safe for users: any ether sent through the fallback function will be taken by the next user or attacker that calls applyWithEtherFor, since the Uniswap function ethToTokenSwapOutput uses only msg.value and not the contract balance to make the external call (please note that any remaining ether in the contract is sent back to the msg.sender, including the eth received through the fallback function).
Anybody who sends Ether to the contract address may lose it, because there is no payment processing in the contract code.
To apply for a new proposal using the applyFor function of the HumanityApplicant contract, a token fee should be transferred to the contract prior to the function call. If the required fee to open a proposal is higher than the balance of the contract, the tokens are taken from the msg.sender wallet using transferFrom (assuming that the user preapproved the token transfer). Since the function applyFor uses the balance of the contract first, anyone can exploit this logic by watching for direct proposal fee deposits (made with transfer to the contract) and setting up a front-running attack to pass his proposal without paying the fees.
https://github.com/marbleprotocol/humanity/blob/master/contracts/HumanityApplicant.sol#L29#L37
transferFrom should be used in both cases, meaning that no condition must be checked before the transferFrom.
Function setResult could be called by anyone, and at any time the result could be changed to false.
There is no zero address check in function applyWithEtherFor. Add a zero address check:
require(who != address(0));
As raised by the compiler ("Experimental features are turned on. Do not use experimental features on live deployments"), the audited code uses ABIEncoderV2, which is still experimental and should not be deployed on a live network.
pragma experimental ABIEncoderV2;
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/yuriy77k/ad6c3f3af65d01757eea28354da70d39
https://gist.github.com/yuriy77k/e243dbb606ae384b2f668c7fc4875e75
https://gist.github.com/danbogd/f7462aa1d2073a4fa3dc560df09d201c
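As an added illustration, not part of the audit report and not the project's own code, the following Solidity reconstructs the two patterns the report describes (a payable fallback combined with a whole-balance refund, and a fee path that spends the contract's token balance before falling back to transferFrom) next to a hardened version that also adds the zero-address check. The names IERC20, IUniswapExchange, IRegistry, ApplicantBase, VulnerableApplicant and HardenedApplicant are hypothetical. The code assumes a standard ERC20 fee token and a Uniswap v1 style exchange whose ethToTokenSwapOutput returns the ether actually spent and sends any unspent ether back to the calling contract.

```solidity
pragma solidity ^0.5.0;

// Minimal ERC20 surface used below (assumption: the fee is a standard ERC20 token).
interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function approve(address spender, uint256 value) external returns (bool);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Uniswap v1 call named in the report: buys exactly `tokensBought` with at most msg.value,
// returns the ether spent and sends the unspent remainder back to the caller (assumption).
interface IUniswapExchange {
    function ethToTokenSwapOutput(uint256 tokensBought, uint256 deadline)
        external payable returns (uint256 ethSold);
}

// Hypothetical registry that pulls the fee from the applicant and opens a proposal.
interface IRegistry {
    function propose(address who) external returns (uint256 proposalId);
}

// Shared plumbing; the two contracts below differ only in the vulnerable/hardened parts.
contract ApplicantBase {
    IERC20 public token;
    IUniswapExchange public exchange;
    IRegistry public registry;
    uint256 public fee;

    constructor(IERC20 _token, IUniswapExchange _exchange, IRegistry _registry, uint256 _fee) public {
        token = _token;
        exchange = _exchange;
        registry = _registry;
        fee = _fee;
        // Let the registry pull fees that this contract holds.
        require(token.approve(address(_registry), uint256(-1)), "approve failed");
    }
}

// VULNERABLE: reproduces the patterns the report describes.
contract VulnerableApplicant is ApplicantBase {
    constructor(IERC20 t, IUniswapExchange e, IRegistry r, uint256 f) public ApplicantBase(t, e, r, f) {}

    // Accepts ether from anyone; nothing records who sent it.
    function () external payable {}

    function applyFor(address who) public returns (uint256) {
        // The contract's token balance is consumed first: a fee that user A `transfer`red
        // directly (intending to call applyFor next) is spent by user B who front-runs A.
        uint256 balance = token.balanceOf(address(this));
        if (balance < fee) {
            require(token.transferFrom(msg.sender, address(this), fee - balance), "fee transfer failed");
        }
        return registry.propose(who);
    }

    function applyWithEtherFor(address who) public payable returns (uint256) {
        // Only msg.value is swapped ...
        exchange.ethToTokenSwapOutput.value(msg.value)(fee, now);
        uint256 id = registry.propose(who);
        // ... but the whole balance is refunded, so ether that arrived through the
        // fallback (from anyone) is handed to whoever calls this function next.
        msg.sender.transfer(address(this).balance);
        return id;
    }
}

// HARDENED: always pull the fee from the caller, refund only the caller's own ether,
// reject stray ether, and check for the zero address.
contract HardenedApplicant is ApplicantBase {
    constructor(IERC20 t, IUniswapExchange e, IRegistry r, uint256 f) public ApplicantBase(t, e, r, f) {}

    // The exchange must still be able to return unspent ether, so only it may pay in.
    function () external payable {
        require(msg.sender == address(exchange), "direct ether not accepted");
    }

    function applyFor(address who) public returns (uint256) {
        require(who != address(0), "zero address");
        // No balance check: the fee always comes from msg.sender via transferFrom.
        require(token.transferFrom(msg.sender, address(this), fee), "fee transfer failed");
        return registry.propose(who);
    }

    function applyWithEtherFor(address who) public payable returns (uint256) {
        require(who != address(0), "zero address");
        uint256 ethSold = exchange.ethToTokenSwapOutput.value(msg.value)(fee, now);
        uint256 id = registry.propose(who);
        // The refund is derived from msg.value, never from address(this).balance.
        uint256 refund = msg.value - ethSold;
        if (refund > 0) {
            msg.sender.transfer(refund);
        }
        return id;
    }
}
```

The hardened fallback stays payable because the exchange returns unspent ether with a plain send; restricting it to the exchange address keeps user deposits out while that refund still lands (the single storage read in the check fits within the 2300 gas stipend such a send forwards, which is an assumption about the exchange's transfer mechanism). With the fee always pulled by transferFrom and the refund computed from msg.value, neither a pre-funded token deposit nor stray ether can be claimed by a different caller.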
Audit request
HumanityDAO is a standard for unique identity on Ethereum. The Humanity registry can serve as the foundation for Sybil-resistant protocols including Universal Basic Income, credit, democratic voting, and more.
Source code
https://github.com/marbleprotocol/humanity/tree/master/contracts
Disclosure policy
https://discordapp.com/invite/yvUqPUn
Contact information (optional)
https://www.reddit.com/r/HumanityDAO/
Platform
Eth
Number of lines:
428